tcpdump mailing list archives

Re: New official link-layer type request


From: Guy Harris <gharris () sonic net>
Date: Sat, 18 May 2019 15:27:24 -0700

On May 11, 2019, at 3:42 PM, Michael Richardson <mcr () sandelman ca> wrote:

Also, it might be that pcapng would actually be a really good container for
your work rather than inventing yet-another-TLV.

Are there any law enforcement agencies that *will* accept a pcap file but *won't* accept a pcapng file?  *If* that's 
the case, that would prevent pcapng from being used, but if it's *not* the case, that might mean pcapng could be used.

If we *do* use pcapng, that would mean that:

        1) Wireshark wouldn't be able to read the lawful intercept information in the files until support for new block 
types and options is added to it;

        2) tcpdump wouldn't be able to read the lawful intercept information in the files until we add full pcapng 
support (with new APIs) to libpcap, including support for the new block types and options, and add support for the new 
APIs, and for the new block types and options, to tcpdump;

        3) other programs that currently read pcap files would need to be able to read pcapng to read those files at 
all, and that support for pcapng would have to include the new block types and options in order to read the lawful 
intercept information.

To be fair, those programs would *also* have to be modified to handle LINKTYPE_ELEE - and programs that can read pcapng 
would at least be able to read the intercepted packets without change, assuming they just ignore unknown block and 
option types (which they should do!).
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
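
The behaviour the last paragraph of the message relies on, a pcapng reader stepping over block types it does not know while still returning the captured packets, shown as an added example (not part of the original message, and not libpcap or Wireshark code). The block type 0x80000001 is a hypothetical stand-in taken from pcapng's local-use range, and the sample capture is constructed inline.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
HYPOTHETICAL_LI_BLOCK = 0x80000001  # assumption: local-use type standing in for a new block

def read_packets(data):
    """Return (packets, skipped): EPB payloads and the block types that were ignored."""
    packets, skipped, pos, endian = [], [], 0, "<"
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in either byte order
            magic = struct.unpack_from("<I", data, pos + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        btype, total = struct.unpack_from(endian + "II", data, pos)
        # A truncated or hostile file must not stall the reader or push it past EOF.
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError(f"bad block length {total} at offset {pos}")
        if struct.unpack_from(endian + "I", data, pos + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {pos}")
        body = data[pos + 8:pos + total - 4]
        if btype == EPB:
            if len(body) < 20:
                raise ValueError(f"short Enhanced Packet Block at offset {pos}")
            caplen = struct.unpack_from(endian + "I", body, 12)[0]
            if caplen > len(body) - 20:
                raise ValueError(f"captured length {caplen} exceeds block at offset {pos}")
            packets.append(body[20:20 + caplen])
        elif btype not in (SHB, IDB):
            skipped.append(btype)  # unknown block type: use its length to step over it
        pos += total
    return packets, skipped

def block(btype, body):
    """Build one little-endian pcapng block (helper for the constructed sample)."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample: SHB, IDB (Ethernet), one unknown block, one packet.
PACKET = bytes.fromhex("ffffffffffff0200000000010800") + b"constructed"
SAMPLE = (
    block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    + block(IDB, struct.pack("<HHI", 1, 0, 65535))
    + block(HYPOTHETICAL_LI_BLOCK, b"intercept metadata (constructed)")
    + block(EPB, struct.pack("<5I", 0, 0, 0, len(PACKET), len(PACKET)) + PACKET)
)

if __name__ == "__main__":
    print(read_packets(SAMPLE))
```

Because every block carries its own total length, the reader needs no knowledge of the unknown block's contents to reach the packet that follows it.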
